11-12-2014 03:30 PM - edited 03-07-2019 09:29 PM
Hi
I am looking to deploy a simple RADIUS solution and I'm having some issues. I would like to have RADIUS authentication for selected Active Directory users. Should the RADIUS server become unavailable, I would like to be able to log in to the switch using the switch local admin account. This is not working with my current configuration.
My users:
User 1: testuser
User 2: admin (local switch admin)
User 1 can authenticate to the switch via RADIUS and cannot authenticate locally (as I have not included User 1 in the local db on purpose).
User 2 cannot authenticate using RADIUS, as expected; however, User 2 cannot log on to the switch locally either, which is expected. This is not working properly.
My configuration:
username admin privilege 15 secret Password1
aaa new-model
aaa group server radius IAS
 server 192.168.193.162 auth-port 1812 acct-port 1813
aaa authentication login userAuthentication group radius local enable
aaa authorization config-commands
aaa authorization exec userAuthorisation group IAS group radius local
aaa session-id common
line con 0
 logging synchronous
line vty 0 4
 authorization exec userAuthorisation
 login authentication userAuthentication
line vty 5 15
 authorization exec userAuthorisation
 login authentication userAuthentication
Can anyone see what I'm doing wrong?
Thanks in advance :D
SteveP
11-12-2014 03:49 PM
Steve,
In your current setup, I think you're going to have a problem. If the radius server is up at all, it will just send a reject back to the router should it either not find a user or the user have the incorrect password. The only way the router will failover to the local database is if the radius server isn't available at all.
You can set the local database first in aaa and then configure the radius server. The admin user will be able to log in using the local database, but the user will not be able to since they're not in there. If the user simply wasn't found in the local database, you would roll over to the radius server and authenticate there.
Soooo, try to flip your command from:
aaa authentication login userAuthentication group radius local enable
to:
aaa authentication login userAuthentication local group radius enable
HTH,
John
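The behaviour John describes (a RADIUS reject ends the login attempt, only an unreachable server lets IOS move on to the next method) is the whole reason the method order matters. The following is an added example, not part of the thread and not Cisco code: a small Python model of method-list evaluation in which each method returns PASS, FAIL or ERROR and only ERROR falls through. The credential stores, passwords and the hypothetical enable secret are constructed for the demonstration; only the admin username and the method names come from the posts above.

```python
"""Model of Cisco IOS AAA login method-list fallback (added example).

Each method returns PASS, FAIL or ERROR. IOS moves to the next method in the
list only on ERROR (method unavailable, e.g. no RADIUS reply or user absent
from the local database). A FAIL (explicit reject) is final.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"    # explicit reject: stop, login denied
    ERROR = "error"  # method could not answer: try the next method


# Constructed sample stores; values are hypothetical, not from the thread.
RADIUS_USERS = {"testuser": "radiuspw"}   # AD user known to the RADIUS (IAS) server
LOCAL_USERS = {"admin": "Password1"}      # the switch's `username admin ...` entry
ENABLE_SECRET = "enablepw"                # hypothetical enable secret


def radius_method(user, password, server_up=True):
    """`group radius`: reject is FAIL; no reachable server is ERROR."""
    if not server_up:
        return Result.ERROR
    return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL


def local_method(user, password, server_up=True):
    """`local`: unknown user is ERROR (fall through); wrong password is FAIL."""
    if user not in LOCAL_USERS:
        return Result.ERROR
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL


def enable_method(user, password, server_up=True):
    """`enable`: compares the supplied password with the enable secret."""
    return Result.PASS if password == ENABLE_SECRET else Result.FAIL


METHODS = {"group radius": radius_method, "local": local_method, "enable": enable_method}


def authenticate(method_list, user, password, server_up=True):
    """Walk the method list in order; ERROR falls through, PASS/FAIL is final."""
    for name in method_list:
        result = METHODS[name](user, password, server_up)
        if result is not Result.ERROR:
            return result
    return Result.FAIL  # every method errored: login denied


def compare_orderings(user, password, server_up=True):
    """Return the outcome of the original and the corrected method lists."""
    original = ["group radius", "local", "enable"]
    corrected = ["local", "group radius", "enable"]
    return {
        "group radius local enable": authenticate(original, user, password, server_up),
        "local group radius enable": authenticate(corrected, user, password, server_up),
    }


if __name__ == "__main__":
    for who, pw in (("admin", "Password1"), ("testuser", "radiuspw")):
        for up in (True, False):
            print(who, "server_up=%s" % up, compare_orderings(who, pw, up))
```

With the server reachable, `admin` is rejected by RADIUS under the original order and never reaches `local`; swapping the order lets `local` answer first, while `testuser` (absent locally) still falls through to RADIUS. With the server down, both orders reach `local`, which is the failover the original poster wanted.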
11-13-2014 03:22 PM
Hi John
That worked a treat. Thank you very much.
Cheers
SteveP :D